Auditors are mostly ok with public/private key pairs.
They don't seem to mind Oracle's wallet.
Key stores seem to be a mixed bag.

As an Oracle DBA, and familiar with the wallet, it makes no sense to me that Oracle wallet is ok, but a read only text file is not. A hacker needs to crack Oracle to get access to the config file, and once they're Oracle, the wallet is theirs to toy with. As is the database ... as are the private keys ... that text file is the least of your problems ...

Whatever you do, don't let the auditors, or the people in your organization who's only job is to handle the auditors, know that you're pondering security considerations, lest every decision you make for the next four years gets forwarded to committee for review. You'll have to quit your job in order to even think about doing another honest day's work ever again. Ever. Like Ever. </rant> Oops, I forgot my opening rant tag. (And apologies to Taylor Swift)